blog.dataforce.org.uk

Even the most complex captchas can be bypassed, if not tested thoroughly enough.

Some time ago, I implemented a captcha on my comments form for news posts, to stop spam bots. My captcha is quite complicated, and sometimes generates images that even humans strugle on, yet for some reason I managed to get 10788 spam comments!

I immediately tested my captcha - tried with no value, a wrong value, a right value, only the right one worked.

Then I tried in a different window, open 2 tabs to the same comment, submit the 2nd one with no data and get told the correct captcha, then try using that on the first window, this also didn’t work - however, it told me the correct captcha was “”, upon hitting back and trying with no captcha, it worked.

Turns out I had forgot to make "" an invalid captcha when testing if the values were correct, seeing as when you submit the captcha, it clears the captcha session, a blank value WAS indeed the same value that was stored in the session! The spam bots were just not accepting the session, and thus had a blank captcha - and by them not filling in the captcha, and not accepting the session, they were able to submit comments. This has now been fixed, and a blank captcha will now give an error of “Captcha Timeout”.

Fortunately, 3 Simple SQL Queries pruned the lot :) 1 of which pruned 7900+. Silly bots being so similar!